
Support OAuth login via GitHub/Google/etc?
Open, Needs Triage, Public

Description

I just had a Wikimedia colleague ask me about why Phorge doesn't support oauth logins. Is that something we want to enable?

Documentation (that may deserve an update):

https://we.phorge.it/book/phorge/article/configuring_accounts_and_registration/

  • GitHub done by kind avivey
  • Google
  • other stuff?

About GitHub

About GitHub, these are the persons that can create the OAuth Consumer in that platform at the moment:

https://github.com/phorgeit

Event Timeline

I think this would be reasonable but I think it requires setting up an account on GitHub or Google on behalf of Phorge (rather than using a member's personal account). If someone wants to set up a GitHub/Google account for phorge we can set it up here. It'll require an email address though and I'm not sure how to handle an organization email like that.

@speck we can use the existing GitHub organization for oauth. (an owner can set up the app in settings)

And for google you don't need to provide an email, you can also just get a gmail address.

For Google, you can sign up for a Cloud Identity Free tenant and then set up the Oauth app inside Google Cloud. The Cloud Identity free system is basically Google Workspace/GSuite's user management system only.

Advantage is that it provisions a GCP organization, so admins can manage permissions for separate envs (dev/staging/prod projects, each containing separate oauth integrations) from one place. If you have an existing working group email (think a relevant email list), you can re-'create' that in the Cloud Identity system as a Google group (so it shows up in Google, email still goes to the group as per your existing setup) and then you'll have the option to show that email instead of an individual contributor's email on the oauth2 consent screen (see doc for what I mean by this).

Another advantage (probably not so relevant right now, if ever) is that if even one part of Phorge for whatever reason wants Google to supply Workspace/GSuite services (whether through Nonprofit offer/paid etc.), it's relatively trivial to have Google apply the change to your existing tenant and everyone who needs access is already set up on that end.

Am happy to help with getting this part of the process rolling if you want.

@speck I saw you commented earlier about this and am not sure if this was something you managed to do, or if you wanted someone else to handle the task?

With Google, it would be a matter of creating individual accounts in the free Cloud Identity tenant and then giving access as needed.

If you wanted to ensure a break glass account for admin access, you could set up such an account via a password store - there are ways both through GPG and OSS donation programs (e.g. 1Password's free for OSS team plan) to make that happen.

Should we support oauth login via github/google/etc?

Yes.

@avivey using your Google and GitHub accounts create OAuth supports. You first need to unlock Auth modifications to Auth.

avivey renamed this task from Should we support oauth login via github/google/etc? to Support oauth login via github/google/etc?. Apr 7 2023, 08:02
Cigaryno edited projects, added Governance; removed phorge.it install.

Sorry for removing Governance, the editor somehow bugged and I can't use 2 tags at once here :(.

I've enabled OAuth using GitHub.

valerio.bozzolan renamed this task from Support oauth login via github/google/etc? to Support OAuth login via GitHub/Google/etc?. Jun 30 2023, 08:02
valerio.bozzolan updated the task description.

Just tested the GitHub OAuth and I can confirm that it works perfectly, thanks! :)